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METHOD OF CIPHERING DATA TRANSMISSION IN A RADIO SYSTEM 

FIELD OF INVENTION 

The invention relates to a method of ciphering data transmission in 
a radio system. 

5 BACKGROUND OF INVENTION 

Ciphering is today used in many data transmission systems to 
prevent the data transmitted from falling into the hands of an unauthorized 
user. The ciphering has grown in significance in the past few years, particularly 
as wireless telecommunication has become more common. 

10 The ciphering can be performed, for example, by encrypting the 

information to be transmitted in a transmitter, and by decrypting the 
information in a receiver. In the encryption means the information to be 
transmitted, for example a bit stream, is multiplied by a certain number of 
encryption bit patterns, whereby it is difficult to find out what the original bit 

15 stream was if the encryption bit pattern used is unknown. 

In a digital GSM system, for example, ciphering is performed on the 
radio path: a ciphered bit stream to be transmitted onto the radio path is 
formed by XORing data bits with ciphering bits, the ciphering bits being formed 
by an algorithm known per se (the A5 algorithm), using a ciphering key Kc. 

20 The A5 algorithm encrypts the information transmitted on the traffic channel 
and the DCCH control channel. 

The ciphering key Kc is set when the network has authenticated the 
terminal but the traffic on the channel has not yet been ciphered. In the GSM 
system the terminal is identified on the basis of the International Mobile 

25 Subscriber Identity IMSI, which is stored in the terminal, or the Temporary 
Mobile Subscriber Identity TMSI, which is formed on the basis of the 
subscriber identity. A subscriber identification key Ki is also stored in the 
terminal. A terminal identification key is also known to the system. 

In order that the ciphering would be reliable, information on the 

30 ciphering key Kc must be kept secret. The cipher key is therefore transmitted 
from the network to the terminal indirectly. A Random Access Number RAND 
is formed in the network, and the number is then transmitted to the terminal via 
the base station system. The ciphering key Kc is formed by a known algorithm 
(the A5 algorithm) from the random access number RAND and the subscriber 



identification key Ki. The ciphering key Kc is computed in the same way both 
in the terminal and in the network part of the system. 

In the beginning, data transmission on a connection between the 
terminal and the base station is thus not ciphered. The ciphering does not start 
5 until the base station system sends the terminal a cipher mode command. 
When the terminal has received the command, it starts to cipher data to be 
sent and to decipher received data. Correspondingly, the base station system 
starts to decipher the received data after sending the cipher mode command 
and to cipher the sent data after the reception and successful decoding of the 

10 first ciphered message from the terminal. In the GSM system the cipher mode 
command comprises a command to start ciphering, and information on the 
algorithm to be used. 

The problem in the known methods is that they have been designed 
for the present systems, wherefore they are inflexible and not suited for the 

15 ciphering of data transmission in new systems, where several parallel services 
for one mobile station are possible. If we use the same ciphering mask twice 
for two or more parallel protocol data units that will be sent using the same air 
interface frame, then an eavesdropper may deduce a lot of information from 
the data streams. The amount of information that can be deduced depends on 

20 the structure of the data streams. From random data that has no structure one 
cannot obtain any information, but usually there is a structure in the data, 
especially in the signaling data. 

BRIEF DESCRIPTION OF INVENTION 

It is an object of the invention to provide a method, and a user 

25 equipment and a radio network subsystem implementing the method, solving 
the above problems. This is achieved with a method of ciphering data 
transmission in a radio system, comprising: generating a ciphering key; 
producing a ciphering mask in a ciphering algorithm using the ciphering key as 
an input parameter; producing ciphered data by applying the ciphering mask to 

30 plain data. Using a logical channel specific parameter or a transport channel 
specific parameter as an additional input parameter to the ciphering algorithm. 

The invention also relates to a user equipment, comprising: 
generating means for generating a ciphering key; a ciphering algorithm 
connected with the generating means for producing a ciphering mask using 

35 the ciphering key as an input parameter; ciphering means connected with the 
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ciphering algorithm for producing ciphered data by applying the ciphering 
mask to plain data. The ciphering algorithm uses a logical channel specific 
parameter or a transport channel specific parameter as an additional input 
parameter. 

5 The invention further relates to a radio network subsystem, 

comprising: generating means for generating a ciphering key; a ciphering 
algorithm connected with the generating means for producing a ciphering 
mask using the ciphering key as an input parameter; ciphering means 
connected with the ciphering algorithm for producing ciphered data by 
10 applying the ciphering mask to plain data. The ciphering algorithm uses a 
logical channel specific parameter or a transport channel specific parameter as 
an additional input parameter. 

The preferred embodiments of the invention are claimed in the 
dependent claims. 

1 5 Several advantages are achieved with the invention. In the solution 

of the present invention, ciphering and its properties can be flexibly controlled. 
The present invention enhances user security in new radio systems. This 
solution is also better than the known technique, which uses a long enough 
ciphering mask only once for each air interface frame, because it allows 

20 distributed implementation of the needed functionality in the protocol stack. 

BRIEF DESCRIPTION OF FIGURES 

In the following the invention will be described in greater detail by 
means of preferred embodiments and with reference to the attached drawings, 
in which 

25 Figures 1A and 1B illustrate an example of a mobile telephone 

system; 

Figure 2A illustrates a transmitter and a receiver; 
Figure 2B illustrates transport channel coding and multiplexing; 
Figure 3 illustrates a frame structure; 
30 Figures 4A, 4B and 4C show a block diagram of a ciphering 

environment according to the invention; 

Figure 5 illustrates a mobile station 

Figure 6 is a flow diagram illustrating a method according to the 

invention; 

35 Figure 7A illustrates an example of a protocol stack; 
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Figure 7B illustrates an example of a protocol stack according to the 

invention; 

Figure 7C illustrates mapping between logical channels and 
transport channels; 

5 Figure 8 illustrates the structure of a Medium Access Control Layer 

Protocol Data Unit. 

DETAILED DESCRIPTION OF INVENTION 

The present invention can be used in different mobile telephone 
systems. In the following examples, the use of the invention is described in the 

10 Universal Mobile Telephone System (UMTS) without restricting the invention 
to it. The examples illustrate the FDD (Frequency Division Duplex) operation of 
the UMTS, but do not restrict the invention to it. 

With reference to Figures 1A and 1B, a typical mobile telephone 
system structure will be described. Figure 1B only comprises the blocks that 

15 are essential for the description of the invention, although it is apparent to a 
person skilled in the art that a common mobile telephone system also 
comprises other functions and structures, which need not be discussed in 
greater detail here. The main parts of the mobile telephone system are: a core 
network CN, a UMTS terrestrial radio access network UTRAN, and a user 

20 equipment UE. The interface between the CN and the UTRAN is called the lu 
interface, and the interface between the UTRAN and the UE is called the Uu 
interface. 

The UTRAN is composed of radio network subsystems RNS. The 
interface between two RNSs is called the lur interface. The RNS is composed 
25 of a radio network controller RNC and one or more node Bs B. The interface 
between the RNC and the node B is called the lub interface. The reception 
area of the node B, i.e. cell, is denoted in Figure 1 A by C. 

As the presentation in Figure 1A is very abstract, it is clarified in 
Figure 1B by setting forth the parts of the GSM system that correspond to the 
30 parts of the UMTS. It is clear that the presented mapping is by no means a 
binding one but an approximation, because the responsibilities and functions 
of the parts of the UMTS are still being planned. 

Figure 1B illustrates a packet switched transmission via Internet 102 
from a computer 100 connected with the mobile telephone system to a 
35 portable computer 122 connected with a user equipment UE. The user 



equipment UE may be a fixedly mounted wireless local loop terminal, a 
vehicle-mounted terminal or a hand-held portable terminal, for example. 

The infrastructure of the radio network UTRAN is composed of radio 
network subsystems RNS, i.e. base station subsystems. The radio network 
5 subsystem RNS is composed of a radio network controller RNC, i.e. a base 
station controller, and at least one node B, i.e. a base station, under the 
control of the RNC. 

The node B comprises a multiplexer 114, transceivers 116, and a 
control unit 118 which controls the operation of the transceivers 116 and the 
10 multiplexer 114. The multiplexer 114 arranges the traffic and control channels 
used by a plurality of transceivers 116 on a single transmission connection 
lub. 

The transceivers 116 of the node B have a connection to an 
antenna unit 120 which is used for providing a bi-directional (or sometimes 

15 one-way) radio connection Uu to a user equipment UE. The structure of the 
frames transmitted on the radio connection Uu is determined in detail and the 
connection is referred to as an air interface. 

The radio network controller RNC comprises a group switching field 
110 and a control unit 1 12. The group switching field 1 10 is used for switching 

20 speech and data and for connecting signaling circuits. The node B and the 
radio network controller RNC form a base station subsystem, which 
additionally comprises a transcoder, also known as a speech codec, or TRAU 
(Transcoder and Rate Adapter Unit) 108. 

The division of the functions and the physical structures of the radio 

25 network controller RNC and the node B may differ according to the actual 
realization of the radio network subsystem. Typically, the node B implements 
the radio connection. The radio network controller RNC typically manages the 
following: radio resource control, inter-cell handover control, power control, 
timing and synchronization, and paging for user equipment. 

30 The transcoder 108 is usually located as close to a mobile switching 

center 106 as possible because this allows speech to be transmitted between 
the transcoder 108 and the radio network controller RNC in a cellular radio 
network form, which saves transmission capacity. 

The transcoder 108 converts different digital speech coding modes 

35 used between a public switched telephone network and a cellular radio 
network to make them compatible, for instance from the 64 kbit/s fixed network 
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form to another form (such as 13 kbit/s) of the cellular radio network, and vice 
versa. Naturally, the transcoding is carried out only for speech. The control 
unit 112 carries out call control, mobility management, collection of statistical 
data and signaling. 

5 The core network CN is composed of the infrastructure belonging to 

the mobile telephone system which is not part of the UTRAN. Figure 1B 
illustrates two equipments, which are part of the core network CN, namely a 
mobile switching center 106, and a gateway mobile switching center 104, 
which handles mobile telephone system interfaces towards the outside world, 

10 in this example towards the Internet 102. 

Figure 5 illustrates an exemplary structure of the user equipment 
UE. The essential parts of the user equipment UE are: an interface 504 to the 
antenna 502 of the user equipment UE, a transceiver 506, a control part 510 
of the user equipment UE, an interface 512 to the battery 514, and a user 

15 interface comprising a display 500, a keyboard 508, a microphone 516 and a 
speaker 518. 

Figure 2A illustrates the functioning of a radio transmitter/radio 
receiver pair. The radio transmitter may be located in the node B or in the user 
equipment. Correspondingly the radio receiver may be located in the user 

20 equipment or in the node B. 

The upper portion of Figure 2A illustrates the essential functionality 
of the radio transmitter. Different services placed in a physical channel are, for 
example, speech, data, moving or still video picture, and the control channels 
of the system that are processed in the control part 214 of the radio 

25 transmitter. The control part 214 is related to the control of the equipment itself 
and to the control of the connection. Figure 2A illustrates manipulation of two 
different transport channels 200A, 200B. Different services call for different 
source encoding equipment: speech for example calls for a speech codec. For 
the sake of clarity, source encoding equipment is not, however, presented in 

30 Figure 2A. 

First the logical channels are ciphered in blocks 216A, 216B. In the 
ciphering, ciphered data is produced by applying a ciphering mask to plain 
data. Then the ciphered data is placed in the transport channel in blocks 200A t 
200B. As later will be explained with reference to Figures 4A, 4C and 7B the 
35 ciphering can be performed either for a logical channel or for a transport 
channel. Different channels are then channel encoded in blocks 202A and 



202B. One form of channel coding is different block codes, one example of 
which is a cyclic redundancy check, or CRC. Another typical way of performing 
channel coding is convolutional coding and its different variations, such as 
punctured convolutional coding and turbo coding. 
5 Having been channel encoded, the channels are interleaved in an 

interleaver 204A, 204B. The object of the interleaving is to make error 
correction easier. In the interleaving, the bits are mixed with each other in a 
predetermined fashion, so that transitory fading on the radio path does not 
necessarily make the transferred information unidentifiable. 

10 Different signals are multiplexed in block 208 so that they can be 

sent using the same transmitter. 

The interleaved encrypted bits are then spread with a spreading 
code, scrambled with a scrambling code, and modulated in block 206, whose 
operation is described in detail in Figure 2B. 

15 Finally, the combined signal is conveyed to the radio frequency 

parts 210, which may comprise power amplifiers and bandwidth restricting 
filters. An analog radio signal is then transmitted through an antenna 212 to 
the radio path Uu. 

The lower portion of Figure 2A illustrates the typical functionality of 

20 a radio receiver. The radio receiver is typically a Rake receiver. The analog 
radio signal is received from the radio path Uu by an antenna 234. The 
received signal is conveyed to radio frequency parts 232, which comprise a 
filter that blocks the frequencies outside the desired frequency band. A signal 
is then converted in a demodulator 228 into an intermediate frequency or 

25 directly into baseband, and in this form the signal is sampled and quantized. 

Because the signal in question is a multipath propagated signal, 
efforts are made to combine the signal components propagated on different 
multipaths in block 228, which comprises several Rake fingers. 

In a so-called rowing Rake finger, delays for the different multipath 

30 propagated signal components are searched. After the delays have been 
found, different Rake fingers are allocated for receiving each of the multipath 
propagated signals by correlating the received signal with the used spreading 
code delayed with the found delay of that particular multipath. The different 
demodulated and despread multipaths of the same signal are then combined 

35 in order to obtain a stronger signal. 

The received physical channel is then demultiplexed in a 



demultiplexer 224 into data streams of different channels. The channels are 
then directed each to a de-interleaver 226A, 226B, where the received 
physical channel is then de-interleaved. After that the physical channels are 
processed in a specific channel decoder 222A, 222B, where the channel 
5 coding used in the transmission is decoded. Convolutional coding is 
advantageously decoded with a Viterbi decoder. After this the transport 
channels are mapped to the logical channels in blocks 200A, 200B, or the 
other possibility is that the deciphering is performed for the transport channels. 
The channel decoded channels (logical or transport) are deciphered in blocks 
10 220A, 220B by applying a ciphering mask to the received data. Each received 
logical channel can be further processed, for example, by transferring the data 
to the computer 122 connected with the user equipment UE. The control 
channels of the system are conveyed to the control unit 236 of the radio 
receiver. 

15 Figure 2B illustrates how the transport channels are coded and 

multiplexed. In principle, Figure 2B is in part the same as Figure 2A but seen 
from another perspective. In blocks 240A, 240B a Cyclic Redundancy Check 
is added to each Transport Block. Interleaving is performed in two stages, in 
blocks 242A, 242B and 246. When two or more services having different 

20 quality of service requirements are multiplexed into one or more physical 
channels, then service specific rate matching 244 is used. In rate matching the 
channel symbol rates are adjusted to an optimum level, where the minimum 
quality of service requirement of each service is fulfilled with the same channel 
symbol energy. Mapping of the transport channels to physical channels is 

25 performed in block 248. 

As the ciphering is the key issue in the current invention, its 
principle will be next described in more detail. In Table 1 the first row 
represents the plain data bits that have to be transmitted to the recipient. The 
bits on the second row constitute a ciphering mask. The ciphering mask is 

30 applied to the plain data, usually by using the exclusive-or operation, i.e. XOR. 
The resulting ciphered data is on the third row. This ciphered data is sent 
through the air interface to the recipient. The recipient then performs 
deciphering by applying the same ciphering mask that has been used in the 
transmitter to the received data. The fourth row is a ciphering mask that is 

35 summed with the third row by using the XOR operation. The resulting 
recovered data is presented on the fifth row. As we will see, the recovered 



data is the same as the plain data. 
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Plain data 
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1 


1 


1 


0 


1 


0 


0 


1 


1 


1 


0 


0 


1 


1 


1 


0 


0 


0 


Ciphering mask 


0 


0 


1 


0 


1 


0 


1 


0 


0 


0 


1 


0 


0 


0 


0 


1 


1 


1 


1 


Ciphered data 


0 


1 


0 


1 


1 


1 


1 


0 


1 


1 


0 


0 


0 


1 


1 


1 


1 


1 


1 


Ciphering mask 


0 


0 


1 


0 


1 


0 


1 


0 


0 


0 


1 


0 


0 


0 


0 


1 


1 


1 


1 


Recovered data 


0 


1 


1 


1 


0 


1 


0 


0 


1 


1 


1 


0 


0 


1 


1 


1 


0 


0 


0 



Table 1 

5 Figure 3 shows an example of a frame structure used on a physical 

channel. Frames 340A, 340B, 340C, 340D are given a running number from 
one to seventy-two, and they form a 720-millisecond long super frame. The 
length of one frame 340C is ten milliseconds. The frame 340C is divided into 
sixteen slots 330A, 330B, 330C, 330D. The length of slot 330C is 0.625 

10 milliseconds. One slot 330C corresponds typically to one power control period, 
during which the power is adjusted for example by one decibel up or down. 

The physical channels are divided into different types, including 
common physical channels and dedicated physical channels. 

The common physical channels are used to carry the following 

15 transport channels: PCH, BCH, RACH and FACH. 

The dedicated physical channels consist of dedicated physical data 
channels (DPDCH) 310 and dedicated physical control channels (DPCCH) 
312. The DPDCHs 310 are used to carry data 306 generated in layer two of 
the OSI (Open Systems Interconnection) model and layers above it, i.e. dedi- 

20 cated control channels (DCH). The DPCCHs 312 carry the control information 
generated in layer one of the OSI model. Control information comprises: pilot 
bits 300 used in channel estimation, feedback information (FBI) 308 transmit 
power-control commands (TPC) 302, and optionally a transport format 
combination indicator (TFCI) 304. The TFCI 304 tells the receiver the transport 

25 formats of different transport channels, i.e. Transport Format Combination, 
used in the current frame. 

As can be seen from Figure 3, the down-link DPDCHs 310 and 
DPCCHs 312 are time multiplexed into the same slot 330C. In the up-link the 
channels are sent in paraliel so that they are IQ/code multiplexed (I = in- 

30 phase, Q = quadrature) into each frame 340C. 



10 

The channels in the radio interface Uu are processed according to a 
protocol architecture comprising, according to the ISO (International 
Standardization Organization) OSI (Open Systems Interconnection) model, 
three protocol layers: a physical layer (= layer one), a data link layer (= layer 
5 two), and a network layer (= layer three). The protocol stacks are located both 
in the radio network subsystem RNS and in the user equipment UE. Each unit 
(e.g. user equipment, or radio network subsystem) has a layer which is in 
logical communication with a layer of another unit. Only the lowest, physical 
layers communicate with each other directly. The other layers always use the 

10 services offered by the next, lower layer. The message must thus physically 
pass in the vertical direction between the layers, and only in the lowermost 
layer the message passes horizontally between the layers. Figure 7A 
illustrates the layers of the protocol architecture. The ovals between different 
sub-layers indicate service access points (SAP). 

15 The physical layer L1 offers different transport channels to the MAC 

sub-layer MAC and higher layers. The physical layer transport services are 
described by how and with what characteristics data is transferred over the 
radio interface. The transport channels include a Paging Channel PCH, 
Broadcast Channel BCH, Synchronization Channel SCH, Random Access 

20 Channel RACH, Forward Access Channel FACH, Down-link Shared Channel 
DSCH, Fast Up-link Signaling Channel FAUSCH, and Dedicated Channel 
DCH. The physical layer L1 maps transport channels with physical channels. 
In the FDD (Frequency Division Duplex) mode a physical channel is 
characterized by the code, frequency and, in the up-link, the relative phase 

25 (l/Q). In the TDD (Time Division Duplex) mode the physical channel is also 
characterized by the time slot. 

The transport channels may be divided into common channels 
(where there is a need for in-band identification of the UEs when particular 
UEs are addressed) and dedicated channels (where the UEs are identified by 

30 the physical channel, i.e. code and frequency for the FDD and code, time slot 
and frequency for the TDD). 

The common transport channel types are as follows. The RACH is a 
contention based up-link channel used for transmission of a relatively small 
amount of data, for example of initial access or non-real-time dedicated 

35 control or traffic data. The FACH is a common down-link channel without 
closed-loop power control used for transmission of a relatively small amount of 
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data. The DSCH is a down-link channel shared by several UEs carrying 
dedicated control or traffic data. The BCH is a down-link channel used for 
broadcasting system information to an entire cell. The SCH is a down-link 
channel used for broadcasting synchronization information to an entire cell in 
the TDD mode. The PCH is a down-link channel used for broadcasting control 
information to an entire cell allowing efficient UE sleep mode procedures. 

The dedicated transport channel types, in turn, are as follows. The 
DCH is a channel dedicated to one UE used in up-link or down-link. The 
FAUSCH is an up-link channel used to allocate dedicated channels in 
conjunction with the FACH. The data link layer is divided into two sub-layers: a 
MAC sub-layer (Medium Access Control) and a RLC sub-layer (Radio Link 
Control). The MAC sub-layer L2/MAC offers different logical channels to the 
RLC sub-layer L2/RLC. The logical channel is characterized by the type of 
information that is transferred. The logical channels include a Paging Control 
Channel PCCH, Broadcast Control Channel BCCH, Synchronization Control 
Channel SCCH, Common Control Channel, Dedicated Control Channel DCCH 
and Dedicated Traffic Channel DTCH. 

The control channels are used for transfer of control plane 
information only. The SCCH is a down-link channel for broadcasting 
synchronization information in case of TDD (Time Division Duplex) operation. 
The BCCH is a down-link channel for broadcasting system control information. 
The PCCH is a down-link channel that transfers paging information. The 
CCCH is a bi-directional channel for transmitting control information between 
the network and the UEs. This channel is commonly used by the UEs having 
no RRC connection with the network. The DCCH is a point-to-point bi- 
directional channel that transmits dedicated control information between the 
UE and the network. This channel is established through an RRC connection 
setup procedure. 

The traffic channels are used for the transfer of user plane 
information only. The DTCH is a point-to-point channel, dedicated to one UE, 
for the transfer of user information. A DTCH can exist in both up-link and 
down-link. 

The MAC layer maps logical channels with transport channels. One 
of the functions of the MAC sub-layer is to select the appropriate transport 
format for each transport channel depending on the momentary source bit 
rate. 
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Figure 7C illustrates mapping between logical channels and 
transport channels. An SCCH is connected to an SCH. A BCCH is connected 
to a BCH. A PCCH is connected to a PCH. A CCCH is connected to a RACH 
and a FACH. A DTCH can be connected to either a RACH and a FACH, to a 
RACH and a DSCH, to a DCH and a DSCH, or to a DCH. A DCCH can be 
connected to either a RACH and a FACH, to a RACH and a DSCH, to a DCH 
and a DSCH, to a DCH, or to a FAUSCH. 

The third layer L3 has a RRC sub-layer (Radio Resource Control) 
that handles the control plane signaling of layer three between the user 
equipment and the network. Among the functions carried out by the RRC sub- 
layer are assignment, reconfiguration and release of radio resources for the 
RRC connection. So the RRC sub-layer handles the assignment of the radio 
resources required for the RRC connection, including the requirements of both 
the control and the user plane. The RRC layer may reconfigure radio 
resources during an established RRC connection. 

In the present invention we are interested in the encryption of the 
different services' data flows of one user. According to the known techniques, 
all data flows would be encrypted using the same ciphering mask. 

The method according to the invention for ciphering data 
transmission in a radio system is presented in Figure 6. The performance of 
the method begins in block 600. 

In block 602 a ciphering key is generated according to a known 
technique, for example as described in the Background of the Invention 
section. 

In block 604A a ciphering mask is produced in a ciphering algorithm 
using the ciphering key as an input parameter. Also a logical channel specific 
parameter or a transport channel specific parameter is used as an additional 
input parameter to the ciphering algorithm. The logical channel specific 
parameter can be one of the following: a Radio Access Bearer Identifier, a 
Logical Channel Identifier, a Signaling Link Identifier, or some other parameter 
identifying the logical channel used. The transport channel specific parameter 
can be, for example, the Dedicated Channel Identifier, or some other 
parameter identifying the transport channel used. 

The term 'bearer 1 is a high-level name for transmission of 
information used in connection with a network service. Depending on the* 
services, information in the UMTS can usually be transmitted using one or 
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more bearers. The services include, for example, speech transmission, data 
services and video service. A radio bearer, on the other hand, represents that 
part of the bearer which extends over the air interface. One logical channel 
normally carries one radio bearer. A logical channel defines the service offered 
by the MAC layer. A logical channel can be mapped to different types of 
transport channels depending on the existing service mode (either to a 
dedicated transport channel or common transport channels). The transport 
channels define the services offered by the physical layer. It is also possible to 
multiplex several logical channels into one transport channel in the MAC layer. 
The transport channels are further mapped to physical channels in the 
physical layer. Several transport channels can be multiplexed into one 
physical channel by layer 1. It is also possible that after transport channel 
multiplexing the data stream is divided between several physical channels. 

The invention can thus be applied to a radio system whose 
terminals can communicate with other transceivers using one or more parallel 
radio bearers. Typically, when a call is established between a terminal and a 
network, a physical channel is first established for a Signaling Radio Bearer 
SRB between the terminal and the radio network subsystem, and once this 
channel has been established, the actual traffic bearer(s) can be established. 
The SRB can also be called a signaling link. 

The direction of transmission (up-link / down-link) can be used as 
an additional input parameter to the ciphering algorithm. 

Yet another parameter exists: a radio frame specific parameter can 
be used as an additional input parameter to the ciphering algorithm. The radio 
frame specific parameter can be, for example, the User Equipment Frame 
Number (UEFN), or some other parameter identifying the used radio frame. 
The radio frame specific parameter depends on the protocol layer where the 
ciphering function is implemented. If it is implemented in the protocol layer that 
is terminated in the UE and the CN, then a mechanism for conveying the used 
frame number to the receiving entity has to be defined. If the ciphering function 
is located in the MAC layer or layer 1 (or some other layer terminated in the 
UE and the node B or the RNC), a frame number at least partly consisting of 
the physical frame number can be used, which means that the used frame 
number need not be signaled with the data. 
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In block 606 ciphered data is produced by applying the ciphering 
mask to plain data, using for example the XOR operation as described in 
Table 1. 

Next, an elaborated example illustrating the implementation of the 
ciphering method in the transmitter and in the receiver is explained in 
connection with Figures 4A, 4B and AC. Only the relevant points will be 
illustrated, but it will be clear for a person skilled in the art how ciphering can 
be performed in various situations for example with different numbers of 
PDUs. 

Figure 4A describes a block diagram defining the basic ciphering 
environment defined in this invention. Generating means 408 are used for 
generating a ciphering key 410 according to a known technique. Connected 
with the generating means 408 there is a ciphering algorithm 400 for 
producing ciphering masks 41 2A, 41 2B, 41 2C. The ciphering algorithm uses 
the generated ciphering key 410 as an input parameter. The ciphering 
algorithm 400 uses a logical channel specific parameter 402A as an additional 
input parameter. 

In the receiver end, the logical channel specific parameter needed 
for deciphering can be read from an unciphered MAC header, for example 
from the C/T-field of the MAC header. The structure of the MAC PDU is 
illustrated in Figure 8. The MAC PDU consists of an optional MAC header 800 
and a MAC Service Data Unit (MAC SDU) 802. Both the MAC header and the 
MAC SDU are of variable size. The content and the size of the MAC header 
800 depend on the type of the logical channel, and in some cases none of the 
parameters in the MAC header 800 are needed. The size of the MAC-SDU 
802 depends on the size of the RLC PDU, which is defined during the set-up 
procedure. The MAC header 800 comprises a C/T-field 804This option allows 
efficient MAC multiplexing of different logical channels (or different instances 
of the same logical channel type) into one transport channel, both into 
dedicated transport channels and common transport channels. When this 
method is used, the MAC header is not ciphered, which allows separating the 
different MAC PDUs in the receiver end and which in the common channel 
mode allows reading the RNTI (Radio Network Temporary Identity) field that is 
needed for routing messages to the correct entity in the UTRAN. 

Connected with the ciphering algorithm 400 there are ciphering 
means 416A, 416B, 416C for producing ciphered data 418A, 418B, 418C by 
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applying the ciphering mask 412A, 412B, 412C to the plain data 414A, 414B, 
414C. As can be seen from Figure 4A, the plain data includes Radio Link 
Control Layer Protocol Data Units from at least two parallel logical channels, 
and for each logical channel an individual ciphering mask is produced. So in 
5 Figure 4A the ciphering masks 41 2A, 41 2B and 41 2C are all different from 
each other. 

In block 420 the ciphered RLC-PDUs are processed through the 
MAC layer and mapped into one Transport Block Set, i.e. MAC PDU Set. 

Another possible solution is one in which the plain data includes 
10 one Radio Link Control Layer Protocol Data Unit 41 4A from only one logical 
channel, and for said logical channel an individual ciphering mask 41 2A is 
produced. So the invention also works for the individual logical channel. 

Normally a new ciphering mask is produced for each radio frame of 
the physical layer of the protocol stack. If interleaving is used, then a new 
15 ciphering mask can be produced for each interleaving period of the physical 
layer of the protocol stack. Typically one interleaving period consists of several 
radio frames. 

The left-hand side of Figure 4A represents the operations carried 
out in the transmitter. The corresponding operations will also be carried out in 
20 the receiver, as illustrated on the right-hand side of Figure 4A. The only 
differences are that block 422 is used to derive RLC-PDUs out of the received 
Transport Block Set, and that the deciphering means 424A, 424B, 424C are 
used to decipher the received data. 

In one embodiment of the invention, a Radio Link Control Layer 
25 Protocol Data Unit of at least one logical channel is already ciphered, and the 
step of producing ciphered data is not repeated for said already ciphered 
Radio Link Control Layer Protocol Data Unit. It is thus avoided that the data 
would be ciphered twice. Of course, if for example such end-to-end ciphering 
is used, the data can be ciphered twice: first by the application using the 
30 service, and then by the MAC layer according to the invention. This will cause 
no loss of transmission capacity, as the XOR operation does not add any extra 
bits, even if it is performed twice. 

Figure 4B illustrates a solution to a situation where the plain data 
includes at least two successive Radio Link Control Layer Protocol Data Units 
35 of one logical channel. If we assume, for example, that the first RLC PDU 
414A and the second RLC PDU 414B are from one logical channel, then the 
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problem can be solved in such a way that only one ciphering mask 41 2A is 
produced for these PDUs 414A, 414B. Different parts of this ciphering mask 
412A are then used for ciphering the first PDU 414A and the second PDU 
414B. The length of the required ciphering mask 412A in this case is naturally 
the sum of the lengths of the first and the second PDU 41 4A, 41 4B. Because 
the PDUs 414A, 414B are from the same logical channel (same Radio Access 
Bearer), the maximum length required can be calculated as being two times 
the maximum RLC PDU size of that bearer. 

Figure 4C illustrates a situation where the plain data includes one 
Transport Block Set (TBS) including Medium Access Control Layer Protocol 
Data Units of at least two different logical channels, and for each Transport 
Block Set one ciphering mask 412 is used in producing the ciphered data. In 
this option, the basic unit to be ciphered is a Transport Block Set. This defines 
the required length of the ciphering mask 412 produced by the algorithm 400. 
Layer 1 still adds Transport Block specific CRCs (Cyclic Redundancy Check), 
but because the XOR operation does not change the length of data, it should 
be possible to cipher the whole TBS as one unit. The length of each transport 
block in the TBS has to be told to L1 anyway. This option has the 
disadvantage that the MAC header is also ciphered, and so the MAC PDUs 
cannot be routed anywhere on the network side before the TBS is deciphered. 
This is a problem if common channels over lur are possible. The length of the 
required ciphering mask 412 is equal to the maximum Transport Block Set size 
for the transport channel in question. 

Another possible solution is one in which the plain data includes 
one Transport Block Set including a Medium Access Control Layer Protocol 
Data Unit of one logical channel, and for each Transport Block Set one 
ciphering mask is used in producing the ciphered data. 

The solution of the invention is implemented in the radio system 
preferably by software, whereby the invention requires certain functions in the 
protocol processing software located in the transmitter and in the receiver, 
especially in blocks 204A, 204B and 226A, 226B of Figure 2A. Thus the 
generating means 408, the ciphering algorithm 400, and the ciphering means 
416A, 416B, 416C can be software modules of the protocol stack residing in 
the user equipment UE and in the radio network subsystem RNS. The solution 
can also be implemented with hardware, for example using ASIC (Application 
Specific Integrated Circuit) or discrete components. 
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The method of the invention can be implemented, for example, in 
the Medium Access Control Layer of the protocol stack. This is illustrated in 
Figure 7B, which shows a high-level overview of the MAC layer depicted in 
Figure 7A with ciphering functions included. C1() and C2() are two alternatives 
5 for the location of ciphering. C1(0), C1(1), C1(2) and C1(3) refer to the use of 
logical channel specific ciphering parameters as explained above with 
reference to Figures 4A and 4B, whereas C2(00), C2(01) and C2(02) refer to 
the use of transport channel specific ciphering parameters. Some MAC 
functions may be needed below C2(00), C2(01) and C2(02) blocks, but for the 

10 sake of clarity they are not illustrated here. Basically the RLC PDUs come to 
the MAC layer from each logical channel. In the MAC layer the RLC-PDUs are 
then mapped to the MAC PDUs in the functional blocks 700, 702, 704, which 
include the operations for the PCH, BCH, SCH, Dedicated Channel and 
Common Channel operations. Normally one RLC PDU is mapped to one MAC 

15 PDU (= Transport Block). This mapping realizes the mapping from a logical 
channel to a transport channel. The mapping rules have been explained above 
in connection with Figure 7C. If ciphering is used for the CCCH then a 
ciphering block, for example C1(4), should be in Figure 7B in the line between 
the 'CCCH' and the functional block 704. 

20 Even though the invention is described above with reference to an 

example shown in the attached drawings, it is apparent that the invention is 
not restricted to it, but can vary in many ways within the inventive idea 
disclosed in the attached claims. 
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CLAIMS 

1. A method of ciphering data transmission in a radio system, 
comprising: 

(602) generating a ciphering key; 

(604A) producing a ciphering mask in a ciphering algorithm using 
the ciphering key as an input parameter; 

(606) producing ciphered data by applying the ciphering mask to 

plain data; 

characterized by: , 

(604B) using a logical channel specific parameter or a transport 
channel specific parameter as an additional input parameter to the ciphering 
algorithm. 

2. The method as claimed in claim 1, characterized by 
using the direction of transmission as an additional input parameter to the 
ciphering algorithm. 

3. The method as claimed in claim ^characterized in that 
the logical channel specific parameter is one of the following: a Radio Access 
Bearer Identifier, a Logical Channel Identifier, a Signaling Link Identifier. 

4. The method as claimed in claim ^characterized in that 
the transport channel specific parameter is a Dedicated Channel Identifier. 

5. The method as claimed in claim 1, characterized by 
using a radio frame specific parameter as an additional input parameter to the 
ciphering algorithm. 

6. The method as claimed in claim 5, characterized in that 
the radio frame specific parameter is a User Equipment Frame Number. 

7. The method as claimed in claim 1, characterized in that 
the plain data includes Radio Link Control Layer Protocol Data Units from at 
least two parallel logical channels, and for each logical channel an individual 
ciphering mask is produced. 

8. The method as claimed in claim 7, characterized in that 
a Radio Link Control Layer Protocol Data Unit of at least one logical channel is 
already ciphered, and the step of producing ciphered data is not repeated for 
said already ciphered Radio Link Control Layer Protocol Data Unit. 

9. The method as claimed in claim 1, characterized in that 
the plain data includes one Radio Link Control Layer Protocol Data Unit from 
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one logical channel, and for said logical channel an individual ciphering mask 
is produced. 

1 0. The method as claimed in claim ^characterized in that 
the plain data includes at least two successive Radio Link Control Layer 
Protocol Data Units of one logical channel, and for each Radio Link Control 
Layer Protocol Data Unit a different part of the ciphering mask is used in 
producing the ciphered data. 

1 1 . The method as claimed in claim 1, characterized in that 
the plain data includes one Transport Block Set including Medium Access 
Control Layer Protocol Data Units of at least two different logical channels, 
and for each Transport Block Set one ciphering mask is used in producing the 
ciphered data. 

12. The method as claimed in claim 1, characterized in that 
the plain data includes one Transport Block Set including a Medium Access 
Control Layer Protocol Data Unit of one logical channel, and for each 
Transport Block Set one ciphering mask is used in producing the ciphered 
data. 

1 3. The method as claimed in claim ^characterized in that 
the ciphering is performed in the Medium Access Control Layer of a protocol 

stack. 

14. The method as claimed in claim 1, characterized in that 
a new ciphering mask is produced for each radio frame of the physical layer of 
the protocol stack. 

1 5. The method as claimed in claim ^characterized in that 
a new ciphering mask is produced for each interleaving period of the physical 
layer of the protocol stack. 

16. A user equipment (UE), comprising: 

generating means (408) for generating a ciphering key (410); 

a ciphering algorithm (400) connected with the generating means 
(408) for producing a ciphering mask (41 2A, 41 2B, 41 2C) using the ciphering 
key (410) as an input parameter; 

ciphering means (41 6A, 41 6B, 41 6C) connected with the ciphering 
algorithm (400) for producing ciphered data (41 8A, 41 8B, 41 8C) by applying 
the ciphering mask (412A, 412B, 412C) to plain data (414A, 414B, 414C); 

characterized in that: 
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the ciphering algorithm (400) uses a logical channel specific 
parameter (402A) or a transport channel specific parameter (402B) as an 
additional input parameter. 

17. The user equipment as claimed in claim 16, charac- 
5 terized in that the ciphering algorithm (400) uses the direction of 

transmission as an additional input parameter. 

18. The user equipment as claimed in claim 16, charac- 
terized in that the logical channel specific parameter (402A) is one of the 
following: a Radio Access Bearer Identifier, a Logical Channel Identifier, a 

10 Signaling Link Identifier. 

19. The user equipment as claimed in claim 16, charac- 
terized in that the transport channel specific parameter (402B) is a 
Dedicated Channel Identifier. 

20. The user equipment as claimed in claim 16, charac- 
15 terized in that the ciphering algorithm (400) uses a radio frame specific 

parameter (404) as an additional input parameter. 

21. The user equipment as claimed in claim 20, charac- 
terized in that the radio frame specific parameter (404) is a User 
Equipment Frame Number. 

20 22. The user equipment as claimed in claim 16, charac- 

terized in that the ciphering means (41 6A, 41 6B, 41 6C) accept plain data 
(414A, 414B, 414C) including Radio Link Control Layer Protocol Data Units 
from at least two parallel logical channels, and the ciphering algorithm (400) 
produces for each logical channel an individual ciphering mask (41 2A, 41 2B, 

25 412C), and the ciphering means (416A, 416B, 416C) use for each logical 
channel the ciphering mask (41 2A, 41 2B, 41 2C) of said channel. 

23. The user equipment as claimed in claim 22, charac- 
terized in that a Radio Link Control Layer Protocol Data Unit (41 4C) of at 
least one logical channel is already ciphered, and the ciphering means (41 6C) 

30 do not cipher said already ciphered Radio Link Control Layer Protocol Data 
Unit (414C). 

24. The user equipment as claimed in claim 16, charac- 
terized in that the ciphering means (416A) accept plain data (414A) 
including a Radio Link Control Layer Protocol Data Unit from one logical 

35 channel, and the ciphering algorithm (400) produces for said logical channel 



an individual ciphering mask (41 2A), and the ciphering means (41 6A) use for 
said logical channel the ciphering mask (412A) of said channel. 

25. The user equipment as claimed in claim 16, charac- 
terized in that the ciphering means (426) accept plain data including at 
5 least two successive Radio Link Control Layer Protocol Data Units of one 
logical channel, and the ciphering algorithm (400) produces for said logical 
channel an individual ciphering mask (41 2A), and the ciphering means (426) 
use for each Radio Link Control Layer Protocol Data Unit different part of the 
ciphering mask (41 2A). 

10 26. The user equipment as claimed in claim 16, charac- 

terized in that the ciphering means (434) accept plain data including one 
Transport Block Set including Medium Access Control Layer Protocol Data 
Units of at least two different logical channels, and the ciphering algorithm 
(400) produces for each Transport Block Set an individual ciphering mask 

15 (412), and the ciphering means (434) use for each Transport Block Set one 
ciphering mask (412). 

27. The user equipment as claimed in claim 16, charac- 
terized in that the ciphering means (434) accept plain data including one 
Transport Block Set including a Medium Access Control Layer Protocol Data 

20 Unit of one logical channel, and the ciphering algorithm (400) produces for 
each Transport Block Set an individual ciphering mask (412), and the 
ciphering means (434) use for each Transport Block Set one ciphering mask 
(412). 

28. The user equipment as claimed in claim 16, cha rac- 
25 t e r i z e d in that the generating means (408), the ciphering algorithm (400), 

and the ciphering means (41 6A, 41 6B, 41 6C) reside in the Medium Access 
Control Layer of a protocol stack. 

29. The user equipment as claimed in claim 16, charac- 
terized in that the ciphering algorithm (400) produces a new ciphering 

30 mask (41 2A, 41 2B, 41 2C) for each radio frame of the physical layer of the 
protocol stack. 

30. The user equipment as claimed in claim 16, charac- 
terized in that the ciphering algorithm (400) produces a new ciphering 
mask (41 2A, 41 2B, 41 2C) for each interleaving period of the physical layer of 

35 the protocol stack. 

31. A radio network subsystem (RNS), comprising: 



22 

generating means (408) for generating a ciphering key (410); 

a ciphering algorithm (400) connected with the generating means 
(408) for producing a ciphering mask (41 2A, 41 2B, 41 2C) using the ciphering 
key (410) as an input parameter; 
5 ciphering means (41 6A, 41 6B, 41 6C) connected with the ciphering 

algorithm (400) for producing ciphered data (41 8A, 41 8B, 41 8C) by applying 
the ciphering mask (412A, 412B, 412C) to plain data (414A, 414B, 414C); 

characterized in that: 

the ciphering algorithm (400) uses a logical channel specific 
10 parameter (402A) or a transport channel specific parameter (402B) as an 

additional input parameter. 

32. The radio network subsystem as claimed in claim 31, 

characterized in that the ciphering algorithm (400) uses the direction 

of transmission as an additional input parameter. 
15 33. The radio network subsystem as claimed in claim 31, 

characterized in that the logical channel specific parameter (402A) is 

one of the following: a Radio Access Bearer Identifier, a Logical Channel 

Identifier, a Signaling Link Identifier. 

34. The radio network subsystem as claimed in claim 31, 
20 characterized in that the transport channel specific parameter (402B) 

is a Dedicated Channel Identifier. 

35. The radio network subsystem as claimed in claim 31, 
characterized in that the ciphering algorithm (400) uses a radio frame 
specific parameter (404) as an additional input parameter. 

25 36. The radio network subsystem as claimed in claim 35, 

characterized in that the radio frame specific parameter (404) is a 
User Equipment Frame Number. 

37. The radio network subsystem as claimed in claim 31, 
characterized in that the ciphering means (416A, 416B, 416C) 

30 accept plain data (41 4A, 41 4B, 41 4C) including Radio Link Control Layer 
Protocol Data Units from at least two parallel logical channels, and the 
ciphering algorithm (400) produces for each logical channel an individual 
ciphering mask (41 2A, 41 2B, 412C), and the ciphering means (41 6A, 41 6B, 
41 6C) use for each logical channel the ciphering mask (412A, 41 2B, 412C) of 

35 said channel. 



23 

38. The radio network subsystem as claimed in claim 37, 
characterized in that a Radio Link Control Layer Protocol Data Unit 
(414C) of at least one logical channel is already ciphered, and the ciphering 
means (41 6C) do not cipher said already ciphered Radio Link Control Layer 

5 Protocol Data Unit (41 4C). 

39. The radio network subsystem as claimed in claim 31, 
characterized in that the ciphering means (41 6A) accept plain data 
(41 4A) including a Radio Link Control Layer Protocol Data Unit from one 
logical channel, and the ciphering algorithm (400) produces for said logical 

10 channel an individual ciphering mask (41 2A), and the ciphering means (41 6A) 
use for said logical channel theciphering mask (41 2A) of said channel. 

40. The radio network subsystem as claimed in claim 31, 
characterized in that the ciphering means (426) accept plain data 
including at least two successive Radio Link Control Layer Protocol Data Units 

15 of one logical channel, and the ciphering algorithm (400) produces for said 
logical channel an individual ciphering mask (41 2A), and the ciphering means 
(426) use for each Radio Link Control Layer Protocol Data Unit a different part 
of the ciphering mask (41 2A). 

41. The radio network subsystem as claimed in claim 31, 
20 characterized in that the ciphering means (434) accept plain data 

including one Transport Block Set including Medium Access Control Layer 
Protocol Data Units of at least two different logical channels, and the ciphering 
algorithm (400) produces for each Transport Block Set an individual ciphering 
mask (412), and the ciphering means (434) use for each Transport Block Set 
25 one ciphering mask (412). 

42. The radio network subsystem as claimed in claim 31, 
characterized in that the ciphering jneans (434) accept plain data 
including one Transport Block Set including a Medium Access Control Layer 
Protocol Data Unit of one logical channel, and the ciphering algorithm (400) 

30 produces for each Transport Block Set an individual ciphering mask (412), and 
the ciphering means (434) use for each Transport Block Set one ciphering 
mask (412). 

43. The radio network subsystem as claimed in claim 31, 
characterized in that the generating means (408), the ciphering 

35 algorithm (400), and the ciphering means (416A, 416B, 416C) reside in the 
Medium Access Control Layer of a protocol stack. 
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44. The radio network subsystem as claimed in claim 31, 
characterized in that the ciphering algorithm (400) produces a new 
ciphering mask (412A, 412B, 412C) for each radio frame of the physical layer 
of the protocol stack. 

45. The radio network subsystem as claimed in claim 31, 
characterized in that the ciphering algorithm (400) produces a new 
ciphering mask (412A, 412B, 412C) for each interleaving period of the 
physical layer of the protocol stack. 



ABSTRACT 

The invention relates to a method of ciphering data 
transmission in a radio system, and to a user equipment 
using the method, and to a radio network subsystem using 
the method. The method includes the steps of: (602) 
generating a ciphering key; (604A) producing a ciphering 
mask in a ciphering algorithm using the ciphering key as 
an input parameter; (604B) using a logical channel 
specific parameter or a transport channel specific 
parameter as an additional input parameter to the 
ciphering algorithm; and (606) producing ciphered data by 
applying the ciphering mask to plain data. 
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602 GENERATING A CIPHERING KEY 



604A PRODUCING A CIPHERING MASK IN A 

CIPHERING ALOGORITHM USING THE 
CIPHERING KEY AS AN INPUT PARAMETER 

604B USING A LOGICAL CHANNEL SPECIFIC 
PARAMETER OR A TRANSPORT CHANNEL 
SPECIFIC PARAMETER AS AN ADDITIONAL 
INPUT PARAMETER TO THE CIPHERING 
ALGORITHM 

1 

606 PRODUCING CIPHERED DATA BY APPLYING 
THE CIPHERING MASK TO PLAIN DATA 
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